(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 22 August 2002 (22.08.2002)

(10) International Publication Number: WO 02/065352 A1

(51) International Patent Classification 7: G06F 17/60

(21) International Application Number: PCT/AU02/00150

(22) International Filing Date: 14 February 2002 (14.02.2002)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 21225/01, 15 February 2001 (15.02.2001), AU

(71) Applicant (for all designated States except US): EWISE SYSTEMS PTY LTD [AU/AU]; Level 14, 132 Arthur Street, North Sydney, New South Wales 2060 (AU).

(72) Inventors; and
(75) Inventors/Applicants (for US only): GRINBERG, Alexander [AU/AU]; Level 14, 132 Arthur Street, North Sydney, New South Wales 2060 (AU). KONTOROVICH, Michael [AU/AU]; Level 14, 132 Arthur St, North Sydney, New South Wales 2060 (AU). REYBURN, Colin [AU/AU]; Level 14, 132 Arthur Street, North Sydney, New South Wales 2060 (AU). CHAZAN, Mark [AU/AU]; Level 14, 132 Arthur Street, North Sydney, New South Wales 2060 (AU).

(74) Agent: GRIFFITH HACK; GPO Box 4164, Sydney, New South Wales 2001 (AU).

(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VN, YU, ZA, ZM, ZW

(84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, TG).

Published:
— with international search report

(54) Title: SECURE NETWORK ACCESS



[Figure 1 (front-page drawing): block diagram showing the user system (browser, presentation manager, user profile, ACA engine, digital safe), the network gateway with its private key repository and ACA directory, several ACAP sites, and the information provider systems hosting the secure network sites.]



(57) Abstract: The present invention relates to a system and method for facilitating access to secure network sites, such as sites [...] computing system and to use the passwords and identifiers to extract required information from the secure site. The passwords and identifiers are encrypted and an encryption key is stored at a network node remote from the user's computer and is fetched in order to enable the passwords and identifiers to be decrypted so that the active agent can use them to obtain the required information.
SECURE NETWORK ACCESS

Field of the Invention

The present invention relates to a system and method for facilitating access to secure network sites and, particularly, but not exclusively, to a system and method for facilitating access directly by a user to a plurality of secure network sites and extracting information and/or data held by the network sites.

Background of the Invention

The use of secure network sites to provide private information to users is becoming more prevalent. Secure network sites are available for providing information on financial markets, private financial information (status of bank accounts) and many others. To obtain access to a secure network site a user usually requires some form of secure access means, such as a unique user identifier and a password, in order to enable them to access the network site services.

A user may require access to many different network sites providing different services. For example, they may have a number of bank accounts, as well as requiring access to other sites providing private information or, for example, providing information for a price. In these circumstances, the user may require many different access means, e.g. many different passwords. Remembering so many different passwords is a problem. To assist, the user may record the passwords in a "safe place". This leads to a security problem, as an unauthorised user (e.g. a "hacker") may be able to access the recorded secure access means and obtain entry to the user's secure network sites.

SUBSTITUTE SHEET (RULE 26) ISA/AU

WO 02/065352 PCT/AU02/00150

- 2 -

In an attempt to address this problem, it is known to provide third party account aggregation services. An account aggregator stores, at a secure site remote from the user network node, the user's secure access means for entry to the secure network sites that the user subscribes to. The user is provided with a single further secure access means for access to the account aggregator site (e.g. a single user identifier and password). The user can request the account aggregator to access the user's network services and the account aggregator employs the stored user secure access means to do so on the user's behalf.

There are a number of problems associated with such third party account aggregation services. Perhaps the major problem is that many institutions who run private network access sites, e.g. financial institutions such as banks, require that a user be the only person who uses the secure access means for entry to their sites. This is a legal requirement addressed in the terms and conditions of use, and the use of a third party account aggregator service having this information can breach this legal requirement. A number of institutions in Australia have in fact already taken action to block access to their secure sites by third party account aggregators.

Another problem is that the aggregator sites are desirable sites for hackers and other unauthorised persons. They store the secure access means for many users and if security can be breached, the rewards to the hacker can be great (access to many users' secure network services). Security of sites is therefore a major problem and cost.

There is a need for a system which enables a user to access a plurality of secure network sites without requiring a plurality of separate secure access means, while maintaining security and control of the secure access means by the user.

It is to be understood that, if any prior art publication or reference to prior art is made herein, such reference does not constitute an admission that the prior art forms a part of the common general knowledge in the art, in Australia or any other country.
Summary of the Invention

The present invention, in at least a preferred embodiment, provides a system and method which enables a user requiring access to a plurality of secure network sites to institute queries to the plurality of secure network access sites using a single secure access means, the queries being initiated from a user computing system and not from any third party aggregator system.

In accordance with a first aspect of the present invention, there is provided a system for facilitating access by a user to a secure network site, the system including an active agent arranged to access the network site on behalf of the user, the active agent being arranged, in response to a user query, to obtain access means for enabling access to the secure site, and to utilise the access means to extract private information from the secure network sites.

Preferably, the active agent is arranged to obtain the user access means from a user access means depository.

The user access means depository is preferably accessible only by way of the user computing system and is preferably stored on the user computing system. The active agent must therefore access the user access means via the user computing system. Preferably, instigation of queries to obtain information from secure network sites is therefore totally at the behest and control of the user. Preferably, no third party controls the process.

Preferably, the system facilitates access by a user to a plurality of secure network sites.

The active agent is preferably a software agent.

Preferably, the system includes a plurality of active agents. A particular active agent may be associated with a particular secure network site. Preferably, the active agents include security authorisation means, authorising them for access to a particular network site. Preferably, agent authorisation means are provided for the user system for checking the security authorisation means of the active agent. Active agents are preferably "published" and available on the network for use by users. Preferably, owners of secure network sites authorise active agents for access to their secure network sites.

Preferably, the user access means depository is a secure depository.

The user access means are preferably stored in the secure depository in an encrypted form. Preferably, a decryption key for decrypting the encrypted secure access means is stored in a decryption key repository. The decryption key repository is preferably only available from a further secure network site, preferably being remote from the user system. The user is preferably provided with further access means in order to enable them to access the further secure network sites to obtain the decryption key. The decryption key can subsequently be used to decrypt the encrypted access means stored in the secure depository, so that they can be used by the active agent(s) to access the secure network site(s) and obtain the information required by the user.

This system has the advantage that the user needs only one access means (the further access means for accessing the decryption key repository) in order to access a plurality of secure network sites. The active agents, once activated, obtain the decrypted secure access means from the secure depository and access the secure network sites on the user's behalf. All this is at the initiation of and under the control of the user, not a third party aggregator. Legal problems and liability problems and security problems are therefore avoided.

In the preferred embodiment, as discussed above, the active agent is arranged to obtain the access means from elsewhere, in this case a user access means depository. In an alternative embodiment, however, the active agent may already be provided with the user access means.

In accordance with a second aspect, the present invention provides a method of facilitating access to secure network sites, comprising the steps of utilising an active agent to obtain user access means and utilise the secure access means to obtain content from the secure network access site.

In accordance with a third aspect of the present invention, there is provided a security authorisation means arranged to authorise an active agent for access to a particular secure network site, the active agent being arranged to access the network site on behalf of a user, and being arranged, in response to a user query, to obtain access means for enabling access to the secure site, and to utilise the access means to extract private information from the secure network site.

The security authorisation means is preferably a software security authorisation means, and may be a tool such as a digital certificate or any other security identifier.

In accordance with a fourth aspect of the present invention, there is provided a system for facilitating access by a user to a secure network site, the system comprising a decryption key repository which is accessible by a user system via the network to enable the user system to obtain a decryption key associated with the user, the decryption key being able to decrypt encrypted user access means so that they can be used to access secure sites.

Preferably, an active agent is used to access the secure sites with the access means, as discussed above in relation to the first aspect of the present invention.

In accordance with a fifth aspect of the present invention, there is provided a computer program arranged, when loaded into a computing system, to control the computing system to provide an active agent arranged to access network sites on behalf of a user, the active agent being arranged, in response to a user query, to obtain access means for enabling access to the secure site, and to utilise the access means to extract private information from the secure network site.
In accordance with a sixth aspect of the present invention, there is provided a registration system for facilitating registration to a system for facilitating access by a user to a secure network site, the system for facilitating access by a user to a secure network site including an active agent arranged to access the network site on behalf of the user, the active agent being arranged, in response to a user query, to obtain access means for enabling access to the secure site, and to utilise the access means to extract private information from the secure network site, the registration system including a directory listing active agents that a user may obtain access to.

Preferably, the registration system includes a means for providing a decryption key to be associated with a user being registered, the decryption key being arranged to decrypt encrypted access means for access to secure network sites.

In accordance with a seventh aspect of the present invention, there is provided an agent provider site for providing an active agent arranged to access a secure network site on behalf of a user, the active agent being arranged, in response to a user query, to obtain access means for enabling access to the secure site, and to utilise the access means to extract private information from the secure site, the provider site including an active agent repository storing an active agent for access by the user system.

Preferably, an agent provider site may provide a plurality of active agents from the repository, each of the active agents being arranged to access a corresponding secure network site.

In accordance with an eighth aspect of the present invention, there is provided a user system for facilitating access to secure network sites, the user system including an active agent engine, arranged to execute an active agent on behalf of the user, the active agent being arranged to access a network site on behalf of the user and, in response to a user query, to obtain access means for enabling access to the secure site and to utilise the access means to extract private information from the secure network site.

Preferably, the active agent engine is arranged to obtain the access means.

Preferably, the user system also includes a presentation manager arranged to present the private information extracted by the active agent.

In accordance with a ninth aspect of the present invention, there is provided a method of operating a system for facilitating access by a user to a secure network site, the system including an active agent arranged to access the network site on behalf of the user, the active agent being arranged, in response to a user query, to obtain access means for enabling access to the secure site and to utilise the access means to extract private information from the secure network site, the method comprising the steps of making the active agent available at a first network node remote from a user system, and providing the active agent to the user system in response to a user request.

The method preferably includes the further steps of making a decryption key for decrypting user access means in encrypted form available at a further network node remote from the user system and active agent repository, and providing the decryption key to the user system on request by the user, whereby the decryption key can be used to decrypt the access means so that the access means can be used by the active agent to access the secure network site.



Brief description of drawings

Features and advantages of the present invention will become apparent from the following description of an embodiment thereof, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a schematic block diagram of a system in accordance with an embodiment of the present invention;

Figure 2 is a flow diagram showing steps in the operation of obtaining information from secure network sites utilising a system of the embodiment of figure 1, and

Figure 3 is a flow diagram illustrating steps in the operation of a registration process to register to use the system of figure 1.

Description of best embodiment

The preferred embodiment of the present invention as described in the following includes components that are operable on computer systems and may be implemented by software or hardware or a combination of software and hardware. It will be appreciated that there may be many ways in which the functionality of the following components may be implemented by a skilled software/hardware person. All ways of implementing the functionality of the components fall within the scope of the present invention.

Figure 1 is a block diagram illustrating implementation of a system in accordance with an embodiment of the present invention.

The system provides for a plurality of active agents, in this embodiment known as active content agents (ACAs). In this embodiment the ACAs are available from an active content agent provider (ACAP) site, reference numerals 1, 2 and 3, of which there may be any number. The ACAP sites are preferably Web sites which may be operated by suitably programmed computing systems (not shown) connected to the Internet 4. ACAs from the ACAP sites are obtained by a user system 5. The user system may be any computing system which is able to access a network such as the Internet 4. It may be a personal computer, for example, or a local area network, or any other configuration of computing system. Note that only one user system 5 is shown in the figure 1 diagram, but it will be appreciated that there may be many user systems 5 that can operate in accordance with the system of the present invention.
The user system stores a plurality of user access means in a digital safe 6. The user access means may include passwords and user IDs for access to secure network sites, reference numerals 7, 8, 9, operated by information provider systems 10, 11, 12 having access to the Internet 4. Note that there may be any number of secure network sites and ACAP sites and three are shown in figure 1 for purposes of illustration and example only. Further, the secure access means may be any means which enables access via a secure channel to the secure network site and may include a password, digital certificate, PIN, fingerprint, or any other type of key.

The ACAs are configured to be able to take the secure access means and utilise the secure access means to access the particular secure network site which the ACA is configured for. Information from the secure site is brought back to the user system by the ACA.

The system will now be described in more detail. Firstly, operation of the system to enable registration of a user with the system will be described, then operation to obtain information from secure network sites will be described in detail.

System set up and registration

ACAs are published by ACA providers and made available on the network. An ACA must be verified as secure. If it is not, it is unlikely that information providers will allow ACAs to have access to their secure network sites. In many cases, in fact, an information provider may also be an ACA provider. In order to ensure security, the ACAP applies for and receives a digital certificate verifying the ACAP's identity from a Network Membership Authority (not shown). The Network Membership Authority may be accessible via the network 4. The ACA is developed and the digital certificate issued by the network authority is attached, and the ACA is then published on the network ACAP site. A digital certificate is merely one form of security authorisation means. It will be appreciated that any form of security authorisation means may be utilised. The Network Membership Authority may earn revenue for providing the authorisation to the ACAs.

To register with the system, a user accesses a network gateway 13 (which will be supported by a network system, not shown) using a suitable access program such as a browser 14. The user provides standard registration information, such as address, security information, etc. For security purposes, it may even be sometimes necessary for a user to attend manually an office and provide identification information, such as passport or driving license.

Once the registration information has been provided, the user receives a unique private key which is subsequently stored in a private key repository 15, accessible via the network gateway 13. The user can then access and select from the list of ACAs offered by the network gateway. The search for available ACAs may be performed using an active content agent directory 16. The user will select ACAs which are associated with the secure network sites, e.g. bank account sites, which he wishes to access. Subsequently, the users are prompted to enter their user identifiers and account passwords (i.e. their secure access information for the secure network sites they are associated with) to be stored in their digital safe 6.

This registration process is summarised in the flow chart of figure 3. At step 20, the user accesses the network gateway and provides their registration information.

At step 21, the user accesses the list of the ACAs and selects the ACAs for their secure network sites.

At step 22, the user provides the secure access means (password and user identification, for example) for each of the ACAs.

At step 23, the digital safe is loaded with the secure access means.

The user is also provided with some software modules for use on the user system. These include a presentation manager 17 which is arranged to present information retrieved by ACAs. It also includes an ACA engine 18 which is arranged to authorise ACAs (by checking their digital certificates) and execute ACAs. The user profile 19 is also, in this embodiment, stored on the user system 5. It may be, alternatively, stored on the network gateway 13 or at another remote site.

Operation of system

Operation of the system to obtain information from secure network sites for users will now be described. Figure 2 summarises the steps in operation of the system.

A user wishing to obtain information, e.g. financial information, details of their bank accounts, or other private information, from secure network sites 7, 8 and 9 first of all accesses the network gateway 13 to securely access the private key repository 15. The user identifier and password are entered via the network gateway and the ACA engine running on the user system 5 receives the private key from the private key repository 15 (step 30 of figure 2).

Note that the user identifiers and account passwords (access means) stored in the digital safe are stored in an encrypted manner. The private key is able to decrypt the access means stored in the digital safe, in order to enable the agents to subsequently use the decrypted access means to obtain access to the secure network sites 7, 8, 9. Because the private key is kept in the private key repository 15 at a location remote from the user system 5, even if a hacker manages to break into the user system and the digital safe, they will not be able to decrypt the user access means. All the user's secure information is therefore safe, even though it is all kept in one place on the user system.

The ACA engine 18 receives the user's private key and uses it to decrypt the information in the digital safe when it is executing the ACAs. Once the ACA engine 18 has decrypted the required access means, the user's private key is discarded from the user system. The user's private key therefore does not remain on the user system and any hacker attempting to obtain the access means of the user will not be able to decrypt the access means because they will not have the private key.

Once the private key has been retrieved by the ACA engine, the ACA engine retrieves the user profile 19 (step 31). The ACA engine 18 then retrieves the ACAs from the addresses/URLs specified in the user profile, of the ACAP sites 1, 2, 3 (step 32).

The ACA engine subsequently authenticates the ACAs by utilising the digital certificates associated with each ACA, to ensure that the ACAs are the ACAs provided for access to the secure network sites 7, 8, 9 (step 33).

Each ACA retrieved is then executed by the ACA engine to extract information from the secure network sites 7, 8, 9 and provide that information for presentation to the user via the presentation manager 17 (step 34).
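To make the registration steps 20 to 23 and the operation steps 30 to 34 concrete, the following Python model is an added example and not code from the patent or from eWise. It assumes an HMAC under a Network Membership Authority key in place of the ACA's digital certificate, an HMAC-SHA256 counter-mode cipher with a MAC in place of a production cipher for the digital safe, and constructed user names, passwords and account balances.

```python
import hashlib
import hmac
import secrets

# Constructed demo key for the Network Membership Authority. The patent attaches a
# digital certificate to each ACA; an HMAC under this key stands in for it here.
NMA_KEY = b"demo-network-membership-authority-key"

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode (demo construction; use AES-GCM in production)."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt_safe_entry(private_key, plaintext):
    """Step 23: place one site's access means in the digital safe 6 (encrypt-then-MAC)."""
    enc_key = hmac.new(private_key, b"safe-enc", hashlib.sha256).digest()
    mac_key = hmac.new(private_key, b"safe-mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_safe_entry(private_key, blob):
    """Reject the entry unless its MAC verifies under this private key, then decrypt."""
    enc_key = hmac.new(private_key, b"safe-enc", hashlib.sha256).digest()
    mac_key = hmac.new(private_key, b"safe-mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("digital safe entry rejected: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def attacker_can_open(safe_blob):
    """The threat in the text: the safe is copied off the user system, the remote key is not."""
    try:
        decrypt_safe_entry(secrets.token_bytes(32), safe_blob)
        return True
    except ValueError:
        return False

class PrivateKeyRepository:
    """Gateway 13 plus repository 15: the key is released only after the gateway password checks."""
    def __init__(self):
        self._records = {}

    def register(self, user_id, password):
        """Step 20: registration issues a fresh private key that stays remote."""
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._records[user_id] = (salt, pw_hash, secrets.token_bytes(32))
        return self._records[user_id][2]

    def fetch_key(self, user_id, password):
        salt, pw_hash, private_key = self._records[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            raise PermissionError("gateway authentication failed")
        return private_key

def publish_aca(site, fetch):
    """ACAP step: attach the authority's authorisation to the agent before publishing it."""
    body = f"{site}:{fetch.__name__}".encode()
    return {"site": site, "fetch": fetch, "auth": hmac.new(NMA_KEY, body, hashlib.sha256).digest()}

def aca_is_authorised(aca):
    """Step 33: the ACA engine 18 verifies the agent's authorisation before running it."""
    body = f"{aca['site']}:{aca['fetch'].__name__}".encode()
    return hmac.compare_digest(hmac.new(NMA_KEY, body, hashlib.sha256).digest(), aca["auth"])

def run_aca_engine(repository, user_id, gateway_password, profile, safe):
    """Steps 30-34: fetch the private key, check and run each ACA listed in the user
    profile 19, then discard the key so it never rests on the user system."""
    private_key = repository.fetch_key(user_id, gateway_password)      # step 30
    results = {}
    try:
        for aca in profile:                                            # steps 31, 32
            if not aca_is_authorised(aca):                             # step 33
                results[aca["site"]] = "rejected: agent not authorised"
                continue
            site_uid, site_pw = decrypt_safe_entry(private_key, safe[aca["site"]]).decode().split(":", 1)
            results[aca["site"]] = aca["fetch"](site_uid, site_pw)     # step 34
    finally:
        del private_key   # Python cannot zero memory; at least the reference is dropped
    return results

def demo():
    """Constructed end-to-end run: registration, two simulated providers, one rogue ACA."""
    bank = {("alice01", "Pw-bank-9"): 1250.75}      # constructed bank back-end
    broker = {("alice-b", "Pw-broker-3"): 9800.0}   # constructed broker back-end
    def agent_for(table):                            # KeyError models a failed site login
        return lambda uid, pw: table[(uid, pw)]
    repo = PrivateKeyRepository()
    private_key = repo.register("alice", "gateway-secret")                                 # step 20
    profile = [publish_aca("bank", agent_for(bank)), publish_aca("broker", agent_for(broker))]  # step 21
    safe = {"bank": encrypt_safe_entry(private_key, b"alice01:Pw-bank-9"),                # steps 22, 23
            "broker": encrypt_safe_entry(private_key, b"alice-b:Pw-broker-3")}
    del private_key        # after registration the key lives only in the repository
    rogue = publish_aca("rogue", agent_for(broker))
    rogue["auth"] = bytes(32)   # never authorised by the Network Membership Authority
    return run_aca_engine(repo, "alice", "gateway-secret", profile + [rogue], safe)
```

Running `demo()` returns both balances and a rejection for the rogue agent, and `attacker_can_open` on any safe entry returns False, which is the property the text claims for a stolen digital safe.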

The ACA automates the process of accessing the information provider's network node, accessing, for example, the user's accounts held by the information provider, using the user's account access means stored in their digital safe, and communicating the extracted information to the presentation manager 17. The presentation manager 17 is able to display the extracted information to the user. Internet based information provider services, such as on-line banking, can be accessed by the ACA and user specific information extracted such as account balances.

The ACA in the preferred embodiment will be in the form of a software agent. The ACA may present multiple forms of user authentication, depending upon its programming. For example, it could present SmartCard, digital certificate, biometric and any other forms of authentication. Further, because the ACA is software which can be built by an ACAP, it can be arranged to allow the user to automate the access process to the site and the information provided from the site, through automated presentation and applicable user authentication of attributes and instructions. An ACA, because of its flexibility, is capable of replicating all actions which a site may require a user to perform as part of the user authentication process. This could include any authentication process, e.g. automated random mouse movement.

ACA pre-defined actions may include accessing the target website, navigating the target website and authenticating the user to the target site, navigating the site to identify user-specific information, such as bank account balances, and presenting information to the user in a summary form, as well as any other pre-defined actions that can be programmed.

Additionally, for example, the ACA may perform a number of pre-defined transactions on the target site including e.g. electronic bill payment and electronic funds transfer. The ACA is capable of being programmed to automate, on behalf of an authenticated user, any and all transactional functions supported by the target site.

The ACA may therefore perform multiple tasks, depending on programming, because it is an agent.

In a preferred embodiment, where a plurality of ACAs have access to a plurality of secure network sites 7, 8, 9, the presentation manager is able to display the information in summary form on a single screen. The presentation manager 17 may be utilised by the user to vary the form in which the information is presented.

Further, in a preferred embodiment, links are provided by the presentation manager directly to the secure network sites, e.g. hyper-linking via HTML. For example, a user may execute a bank ACA. The current details of their accounts with that bank will be displayed via the presentation manager 17, and the user will be able to click on the bank link and be taken directly into their bank account accessible on the network. This is done without leaving the system of the present invention, so that the user can link back to the summary page and link to other sites without having to provide further secure access information to log on again to the other sites.

The following paragraphs summarise the components of 
15 the system of the present invention. 

1. A Private Key Provider is a Network node allowing 
secure access to a Private Key Repository to a 
Network user. 

2. A Private Key Repository is a database kept by the 
20 Private Key Provider which is capable of storing the 

Network users' private keys. 
3 . A Network user authentication mechanism is maintained 
by the Private Key Provider to provide secure user 
authentication prior to the release of the private 
25 key from the Private Key Repository to a user. 

4. An Active Content Agent Provider is authorised by the 
Network Membership Authority to publish Active 
Content Agents on the Network by providing security 
verification and identification, such as digital 

3 0 certificates. 

5. Active Content Agent software program capable of 
accessing an Information Provider Network node and 
extracting information, such as a user's account 
balance and other account date. For user data 

35 protected through unique user identifiers and 

passwords by the Information Provider, an ACA is 
capable of extracting the relevant account access 
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data from the user's Digital Safe and presenting it 
to the Information Provider for user authentication. 
An ACA is capable of making the data extracted from 
the Information Provider available to the ACA 
5 Presentation Manager and enables automated access to 

the Information Provider network node by the user. 
The presented results may have links which allow the 
user to connect directly to the Information 
Provider's Network node. An ACA is capable of being 
10 authenticated by the ACA Engine as being published by 

an authorised Active Content agent Provider, using 
techniques such as digital signatures . 

6. An Information Provider is an organisation for which one
or more ACAs have been published by authorised ACA
Providers. An ACA Provider can be an Information
Provider.

7. A Network Gateway is a Network access point for a
user which provides access to other nodes on the
Network and/or performs functions of other Network
nodes. A Network Gateway can provide and maintain a
User Profile Repository.

8. An Active Content Agent Directory provides a
searchable list and/or search engine to locate Active
Content Agents published on the Network.

9. The Network Membership Authority authorises access to the
Network for Active Content Agent Providers and
Network Gateways through provision and control of
authentication mechanisms, such as digital
certificates.

10. A Network Access Authentication mechanism, such as a
digital certificate or user ID and password, etc.
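Items 4, 5 and 9 above require that an ACA be authenticated by the ACA Engine as published by a provider the Network Membership Authority has authorised, using digital signatures and certificates. The following Python is an added example and not code from the patent or from eWise Systems: it models that two-step check (authority certifies the provider's key, provider signs the agent, engine verifies both) with a toy textbook RSA built from the standard library so it runs offline. The key sizes, the certificate layout and names such as `engine_accepts` are assumptions made for illustration.

```python
"""Added example: chain of authorisation for an Active Content Agent (ACA).
The Network Membership Authority (NMA) certifies an ACA Provider's public key,
the provider signs the ACA, and the ACA Engine accepts the agent only if both
signatures verify.  Toy textbook RSA over SHA-256, stdlib only, not production."""
import hashlib
import secrets
from dataclasses import dataclass

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c

@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int

def generate_keypair(bits=512):
    """Toy RSA key pair; a 512-bit modulus keeps the demo fast, not secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return KeyPair(p * q, e, pow(e, -1, phi))

def _digest_int(data):
    # The 256-bit SHA-256 value is always below the 512-bit modulus, so no padding step here.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(_digest_int(data), key.d, key.n)

def verify(n, e, data, signature):
    return 0 < signature < n and pow(signature, e, n) == _digest_int(data)

@dataclass(frozen=True)
class ProviderCertificate:
    """NMA-issued statement binding a provider name to its public key (assumed layout)."""
    provider_name: str
    n: int
    e: int
    nma_signature: int

    def signed_bytes(self):
        return f"{self.provider_name}|{self.n}|{self.e}".encode()

@dataclass(frozen=True)
class SignedACA:
    code: bytes
    certificate: ProviderCertificate
    provider_signature: int

def nma_issue_certificate(nma, name, provider):
    draft = ProviderCertificate(name, provider.n, provider.e, 0)
    return ProviderCertificate(name, provider.n, provider.e, sign(nma, draft.signed_bytes()))

def provider_publish_aca(provider, cert, code):
    return SignedACA(code, cert, sign(provider, code))

def engine_accepts(nma_n, nma_e, aca):
    """ACA Engine check: certificate chains to the NMA and the ACA is signed by that provider."""
    cert = aca.certificate
    if not verify(nma_n, nma_e, cert.signed_bytes(), cert.nma_signature):
        return False
    return verify(cert.n, cert.e, aca.code, aca.provider_signature)

def demo():
    """Constructed scenario: a certified provider, a modified ACA, and a provider the NMA never certified."""
    nma, provider, other = generate_keypair(), generate_keypair(), generate_keypair()
    cert = nma_issue_certificate(nma, "Example Bank ACA Provider", provider)
    aca = provider_publish_aca(provider, cert, b"def fetch_balance(session): ...")
    modified = SignedACA(b"def fetch_balance(session): pass", cert, aca.provider_signature)
    self_issued = nma_issue_certificate(other, "Uncertified Provider", other)  # signed by itself, not the NMA
    uncertified = provider_publish_aca(other, self_issued, aca.code)
    return {
        "genuine": engine_accepts(nma.n, nma.e, aca),
        "modified": engine_accepts(nma.n, nma.e, modified),
        "uncertified_provider": engine_accepts(nma.n, nma.e, uncertified),
    }
```

A production ACA Engine would use a vetted library (RSA-PSS or Ed25519) and X.509 certificates with expiry and revocation; what the toy shows is that a valid provider signature on its own is not enough, the engine must also confirm that the provider's key chains to the Network Membership Authority, otherwise any party could self-certify and publish agents.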

In the above embodiment, the network that is used to
implement the system is the Internet. It will be
appreciated that this system may operate on any network,
being an Intranet, local area network, or any other type.

In the embodiment described above, the user seeks to
access a plurality of secure network sites using a
plurality of active agents. It is possible that one
active agent may have the functionality to access a number
of active sites, rather than having an active agent for
each site. Further, a user may require access to only a
single secure network site. This is particularly useful
in the case where the access means is rather complex (some
secure sites require passwords which are very long and
very difficult to remember). In such a case it is still
useful to have the facility of the present invention
utilising an active agent to access the secure site.

In the above-described embodiment, access is via a
user computing system such as a PC. The user computing
system may be any type of computing device, however,
including, but not limited to, a personal digital
assistant (PDA), mobile phone or other mobile device,
digital or interactive television set-top box or
SmartCard device.

A digital safe may be any entity (software and/or
hardware) that can store the user access means. In the
simplest terms, it may merely be a memory area where the
user access means are stored, preferably in encrypted
form. In the above-described embodiment, the digital safe
is stored on the user computer. It may not be. It may be
stored elsewhere, as long as access is obtainable by way
of the user computer.
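As an added illustration of the digital safe and the remote decryption key repository described above (example code, not the patent's own): the Private Key Provider releases a user's key only after authenticating that user, and the active agent then uses the key to open the encrypted safe held on the user computer. The class names, the PBKDF2 password check, and the SHA-256 keystream with an HMAC-SHA256 tag are assumptions standing in for a proper AEAD cipher such as AES-GCM (the standard library has none); the user and credential values are constructed.

```python
"""Added example: release of a user's private key from the Private Key Repository
only after the Private Key Provider has authenticated the user, and use of that key
to open the Digital Safe on the user computer.  The safe is sealed with a SHA-256
counter-mode keystream plus an HMAC-SHA256 tag (encrypt-then-MAC) as a stdlib
stand-in for an AEAD cipher such as AES-GCM; the construction is illustrative."""
import hashlib
import hmac
import json
import secrets

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PrivateKeyProvider:
    """Network node holding the Private Key Repository behind a user authentication gate."""

    def __init__(self):
        self._credentials = {}  # user -> (salt, PBKDF2 hash of the user's password)
        self._repository = {}   # Private Key Repository: user -> 32-byte key

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._credentials[user] = (salt, _pbkdf2(password, salt))
        self._repository[user] = secrets.token_bytes(32)
        return self._repository[user]

    def release_key(self, user, password):
        """Return the user's key only on successful authentication, else None."""
        entry = self._credentials.get(user)
        if entry is None:
            return None
        salt, expected = entry
        if not hmac.compare_digest(_pbkdf2(password, salt), expected):
            return None
        return self._repository[user]

def _subkeys(user_key):
    # Separate encryption and MAC keys derived from the released key.
    enc = hmac.new(user_key, b"digital-safe-enc", hashlib.sha256).digest()
    mac = hmac.new(user_key, b"digital-safe-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class DigitalSafe:
    """Encrypted store of user access means (site credentials), kept on the user computer."""

    def __init__(self, user_key, access_means):
        enc_key, mac_key = _subkeys(user_key)
        plaintext = json.dumps(access_means).encode()
        self.nonce = secrets.token_bytes(16)
        self.ciphertext = _xor(plaintext, _keystream(enc_key, self.nonce, len(plaintext)))
        self.tag = hmac.new(mac_key, self.nonce + self.ciphertext, hashlib.sha256).digest()

    def open(self, user_key):
        """Verify the tag before decrypting; a wrong key or an altered safe is rejected."""
        enc_key, mac_key = _subkeys(user_key)
        expected = hmac.new(mac_key, self.nonce + self.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            raise ValueError("digital safe integrity check failed")
        return json.loads(_xor(self.ciphertext, _keystream(enc_key, self.nonce, len(self.ciphertext))))

def agent_obtain_access_means(provider, safe, user, password, site):
    """Active agent step: fetch the key, open the safe, return the site's access means or None."""
    key = provider.release_key(user, password)
    if key is None:
        return None
    return safe.open(key).get(site)

def demo():
    """Constructed sample: one user, one site credential, one good and one bad password."""
    provider = PrivateKeyProvider()
    key = provider.register("alice", "correct horse battery staple")
    safe = DigitalSafe(key, {"bank.example": {"user_id": "alice42", "password": "Xq7!long-site-password"}})
    del key  # the user computer keeps only the sealed safe; the key lives in the repository
    granted = agent_obtain_access_means(provider, safe, "alice", "correct horse battery staple", "bank.example")
    denied = agent_obtain_access_means(provider, safe, "alice", "wrong password", "bank.example")
    return granted, denied
```

The separation matters for the threat model the passage implies: a copy of the safe taken from the user computer is useless without the key, and the key is only released by the remote provider after the user authenticates, so neither store alone yields the access means. The tag check before decryption is what turns a wrong key or a modified safe into a clean failure rather than garbage credentials being sent to the Information Provider.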

It will be appreciated by persons skilled in the art
that numerous variations and/or modifications may be made
to the invention as shown in the specific embodiments
without departing from the spirit or scope of the
invention as broadly described. The present embodiments
are, therefore, to be considered in all respects as
illustrative and not restrictive.
THE CLAIMS DEFINING THE INVENTION ARE AS FOLLOWS:

1. A system for facilitating access by a user to a
secure network site, the system including an active agent
arranged to access the network site on behalf of the user,
the active agent being arranged, in response to a user
query, to obtain access means for enabling access to the
secure site, and to utilise the access means to extract
private information from the secure network site.
2. A system in accordance with claim 1, wherein the
active agent includes security authorisation means,
authorising the active agent for use with the system.

3. A system in accordance with claim 2, wherein the user
system includes authorisation means for checking the
security authorisation means of the active agent.

4. A system in accordance with claim 1, 2 or 3, further
including a user access means depository storing user
access means for the secure sites.

5. A system in accordance with any one of the preceding
claims, wherein the access means are stored in encrypted
form.

6. A system in accordance with claim 5, further
comprising a decryption key repository remote from the
user system, the decryption key repository storing a
decryption key for decrypting the encrypted access means.

7. A system in accordance with any one of the preceding
claims, wherein the user access means is accessible only
via the user computing system.

8. A system in accordance with claim 7, wherein the user
access means is stored on the user computer system.

9. A system in accordance with any one of the preceding
claims, being arranged to facilitate access to a plurality
of secure network sites.

10. A system in accordance with claim 9, including a
plurality of active agents for accessing a plurality of
respective secure network sites.

11. A system in accordance with any one of the preceding
claims, further comprising an active agent repository
stored at a network node remote from the user computing
system, the active agent being available from the active
agent repository.
12. A method of facilitating access to secure network
sites, comprising the steps of utilising an active agent
to obtain user access means and utilising the secure
access means to obtain content from the secure network
access site.

13. A security authorisation means arranged to authorise
an active agent for access to a secure network site, the
active agent being arranged to access the network site on
behalf of the user, and being arranged, in response to a
user query, to obtain access means for enabling access to
the secure site, and to utilise the access means to
extract private information from the secure network sites.

14. A system for facilitating access by a user to a
secure network site, the system comprising a decryption
key repository which is accessible by a user system via
the network to enable the user system to obtain a
decryption key associated with the user, the decryption
key being able to decrypt encrypted user access means so
that they can be used to access secure sites.

15. A registration system for facilitating registration
to a system for facilitating access by a user to a secure
network site, the system for facilitating access by a user
to a secure network site including an active agent
arranged to access the network site on behalf of the user,
the active agent being arranged, in response to a user
query, to obtain access means for enabling access to the
secure site, and to utilise the access means to extract
private information from the secure network site, the
registration system including a directory listing active
agents that a user may obtain access to.

16. An agent provider site for providing an active agent
arranged to access a secure network site on behalf of a
user, the active agent being arranged, in response to a
user query, to obtain access means for enabling access to
the secure site, and to utilise the access means to
extract private information from the secure site, the
provider site including an active agent repository storing
an active agent for access by the user system.

17. A user system for facilitating access to secure
network sites, the user system including an active agent
engine, arranged to execute an active agent on behalf of
the user, the active agent being arranged to access the
network site on behalf of the user and, in response to a
user query, to obtain access means for enabling access to
extract private information from the secure network site.

18. A method of operating a system facilitating access by
a user to a secure network site, the system including an
active agent arranged to access the network site on behalf
of the user, the active agent being arranged, in response
to a user query, to obtain access means for enabling
access to a secure site and to utilise the access means to
extract private information from the secure network site,
the method comprising the steps of making the active agent
available to the first network node remote from a user
system, and providing the active agent to the user system
in response to a user request.

19. A computer program arranged, when loaded into a
computing system, to control the computing system to
provide an active agent arranged to access network sites
on behalf of the user, the active agent being arranged, in
response to a user query, to obtain access means for
enabling access to the secure site, and to utilise the
access means to extract private information from the
secure network site.

20. A computer program arranged, when loaded into a
computing system, to control the computing system to
provide a security authorisation means arranged to
authorise an active agent for access to a particular
network site, the active agent being arranged to access a
network site on behalf of a user, and being arranged, in
response to a user query, to obtain access means for
enabling access to the secure site, and to utilise the
access means to extract private information from the
secure network site.

21. A computer program arranged, when loaded into a
computing system, to control the computing system to
provide a decryption key, the decryption key being able to
decrypt encrypted user access means so that they can be
used to access secure sites.

22. A computer program arranged, when loaded into a
computing system, to control the computing system to
provide an active agent engine, the active agent engine
being arranged to execute an active agent on behalf of a
user, the active agent arranged to access a network site
on behalf of the user and, in response to a user query, to
obtain access means for enabling access to the secure site
and to utilise the access means to extract private
information from the secure network site.

23. A computer readable medium storing a computer program
in accordance with any one of claims 19 to 22.